advisories,

CVE-2006-6104: Mono XSP ASP.NET Server sourcecode disclosure

Jose Ramon Palanco Jose Ramon Palanco Follow Dec 21, 2006 · 3 mins read
CVE-2006-6104: Mono XSP ASP.NET Server sourcecode disclosure
Share this

The System.Web class in the XSP for ASP.NET server 1.1 through 2.0 in Mono does not properly verify local pathnames, which allows remote attackers to (1) read source code by appending a space (%20) to a URI, and (2) read credentials via a request for Web.Config%20.

Researcher

José Ramón Palanco: jpalanco@gmail.com

Details

Time Line

  • Nov 29, 2006: Discovered security issue by Jose Ramon Palanco
  • Nov 30, 2006: Reported to Mono Project
  • Dec 1, 2006: Patch in subversion rev 68776
  • Dec 5, 2006: Mono is testing the patch and building packages for the fix
  • Dec 19, 2006: Published advisory

Vulnerability

Source Code Disclosure and Configuration Disclosure

Attackers use source code disclosure attacks to try to obtain the source code of server-side applications. The basic role of Web servers is to serve files as requested by clients. Files can be static, such as image and HTML files, or dynamic, such as ASPX, ASHX, ASCX, ASAX, webservices like ASMX files and any language supported by Mono like: C#, boo, nemerle, vb files: .cs, .boo, vb, .n, … When the browser requests a dynamic file, the Web server first executes the file and then returns the result to the browser. Hence, dynamic files are actually code executed on the Web server.

Using a source code disclosure attack, an attacker can retrieve the source code of server-side file. Obtaining the source code of server-side files grants the attacker deeper knowledge of the logic behind the Web application, how the application handles requests and their parameters, the structure of the database, vulnerabilities in the code and source code comments. Having the source code, and possibly a duplicate application to test on, helps the attacker to prepare an attack on the application.

An attacker can cause source code disclosure using adding %20 (space char) after the uri, for example http://www.server.com/app/Default.aspx%20

Update: is also possible retrieve Web.Config file. This file contains sensible information like credentials.

Products and Versions

Type Vendor Product Version
Application Mono XSP 1.1
Application Mono XSP 1.2.1
Application Mono XSP 2.0

CPE v2.3

  • cpe:2.3:a:mono:xsp:1.1:::::::*
  • cpe:2.3:a:mono:xsp:1.2.1:::::::*
  • cpe:2.3:a:mono:xsp:2.0:::::::*

OVAL Definitions

Title Definition id Family
mono-web ASP.net sourcecode disclosure oval:org.mitre.oval:def:2092 unix

CVSS Scores & Vulnerability Types

Name Value
CVSS Score 5.0
Confidentiality Impact Partial (There is considerable informational disclosure.)
Integrity Impact None (There is no impact to the integrity of the system)
Availability Impact None (There is no impact to the availability of the system.)
Access Complexity Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. )
Authentication Not required (Authentication is not required to exploit the vulnerability.)
Gained Access None
Vulnerability Type(s)  
CWE ID CWE id is not defined for this vulnerability

References

Jose Ramon Palanco
Written by Jose Ramon Palanco Follow
Jose Ramón Palanco founded Dinoflux at 2014, a Threat Intelligence startup acquired by Telefonica, currently he works for 11paths since 2018. He worked also for Ericsson at R&D department and Optenet (Allot). He studied Telecommunications Engineering at the University of Alcala de Henares and Master of IT Governance at the University of Deusto. He has been a speaker at OWASP, ROOTEDCON, ROOTCON, MALCON, and FAQin... He has published several CVE and different open source tools for cybersecurity like nmap-scada, ProtocolDetector, escan, pma, EKanalyzer, SCADA IDS, ...